Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/s3_lib.c13
-rw-r--r--lib/libssl/ssl_lib.c5
-rw-r--r--lib/libssl/ssl_locl.h10
-rw-r--r--lib/libssl/tls13_lib.c7
4 files changed, 30 insertions, 5 deletions
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 9adf257ff32..252242e053b 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.188 2020/01/02 06:37:13 jsing Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.189 2020/01/23 10:40:59 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2502,6 +2502,16 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
!SSL_USE_TLS1_2_CIPHERS(s))
continue;
+ /* Skip TLS v1.3 only ciphersuites if not supported. */
+ if ((c->algorithm_ssl & SSL_TLSV1_3) &&
+ !SSL_USE_TLS1_3_CIPHERS(s))
+ continue;
+
+ /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */
+ if (SSL_USE_TLS1_3_CIPHERS(s) &&
+ !(c->algorithm_ssl & SSL_TLSV1_3))
+ continue;
+
ssl_set_cert_masks(cert, c);
mask_k = cert->mask_k;
mask_a = cert->mask_a;
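Review bot: Both new filters in ssl3_choose_cipher test `SSL_USE_TLS1_3_CIPHERS(s)`, which reads the method's `enc_flags`, so the separation between TLS 1.3 and older suites depends on `s->method` already reflecting the negotiated version when this loop runs. The hunk does not show where that is guaranteed. The comments should say so, for example `/* Version gating relies on s->method being the negotiated version's method at this point. */`, so that a later change to method switching does not silently weaken the check. The macro result is also loop-invariant and could be read once before the loop. The function body starts and ends outside this hunk.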
@@ -2509,7 +2519,6 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
alg_k = c->algorithm_mkey;
alg_a = c->algorithm_auth;
-
ok = (alg_k & mask_k) && (alg_a & mask_a);
/*
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 1b141b6e2c1..a6bdfaa4a10 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.209 2020/01/23 03:17:40 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.210 2020/01/23 10:40:59 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -2006,6 +2006,9 @@ ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher)
mask_a |= SSL_aRSA;
mask_a |= SSL_aNULL;
+ mask_a |= SSL_aTLS1_3;
+
+ mask_k |= SSL_kTLS1_3;
/*
* An ECC certificate may be usable for ECDH and/or
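Review bot: The new `mask_a |= SSL_aTLS1_3;` and `mask_k |= SSL_kTLS1_3;` lines are unconditional and carry no comment, unlike the surrounding mask logic. As written, the `ok = (alg_k & mask_k) && (alg_a & mask_a)` test seen in s3_lib.c would presumably always pass for TLS 1.3 suites, leaving the version filter in ssl3_choose_cipher as the only gate. Any other consumer of `mask_k`/`mask_a`, none of which is visible here, would need its own version check. I would add a why-comment such as `/* TLSv1.3 suites do not bind key exchange or authentication to the certificate; version gating is done by the caller. */`. The body of ssl_set_cert_masks continues outside the hunk.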
diff --git a/lib/libssl/ssl_locl.h b/lib/libssl/ssl_locl.h
index 2c774a3d77c..6703e8feeeb 100644
--- a/lib/libssl/ssl_locl.h
+++ b/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.254 2020/01/23 06:15:44 beck Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.255 2020/01/23 10:40:59 jsing Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -342,6 +342,10 @@ __BEGIN_HIDDEN_DECLS
#define SSL_USE_TLS1_2_CIPHERS(s) \
(s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS)
+/* Allow TLS 1.3 ciphersuites only. */
+#define SSL_USE_TLS1_3_CIPHERS(s) \
+ (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)
+
#define SSL_PKEY_RSA_ENC 0
#define SSL_PKEY_RSA_SIGN 1
#define SSL_PKEY_DH_RSA 2
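Review bot: The new `SSL_USE_TLS1_3_CIPHERS(s)` macro expands its argument unparenthesized (`s->method...`), so an argument that is not a plain identifier would parse incorrectly. It mirrors the existing `SSL_USE_TLS1_2_CIPHERS`, but the new one could be written as `((s)->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS)`. Its comment is also copied from the flag definition and describes a permission rather than the test the macro performs. Something like `/* True if the method is restricted to TLS 1.3 ciphersuites. */` would read more accurately at the call sites.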
@@ -1046,6 +1050,9 @@ typedef struct ssl3_enc_method {
/* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */
#define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4)
+/* Allow TLS 1.3 ciphersuites only. */
+#define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5)
+
/*
* ssl_aead_ctx_st contains information about an AEAD that is being used to
* encrypt an SSL connection.
@@ -1094,6 +1101,7 @@ extern SSL3_ENC_METHOD DTLSv1_enc_data;
extern SSL3_ENC_METHOD TLSv1_enc_data;
extern SSL3_ENC_METHOD TLSv1_1_enc_data;
extern SSL3_ENC_METHOD TLSv1_2_enc_data;
+extern SSL3_ENC_METHOD TLSv1_3_enc_data;
void ssl_clear_cipher_state(SSL *s);
void ssl_clear_cipher_read_state(SSL *s);
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 5d8c3590145..91dd566864f 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.24 2020/01/23 07:30:55 beck Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.25 2020/01/23 10:40:59 jsing Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -24,6 +24,11 @@
#include "ssl_locl.h"
#include "tls13_internal.h"
+SSL3_ENC_METHOD TLSv1_3_enc_data = {
+ .enc = NULL,
+ .enc_flags = SSL_ENC_FLAG_TLS1_3_CIPHERS,
+};
+
/*
* RFC 8446 section 4.1.3, magic values which must be set by the
* server in server random if it is willing to downgrade but supports
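Review bot: `TLSv1_3_enc_data` sets `.enc = NULL`, so any legacy record-layer path that calls `s->method->internal->ssl3_enc->enc(...)` without a NULL check would call through a null function pointer if it is ever reached with a method using this structure. Whether such callers exist is not visible in this hunk. A comment on the initializer would make the intent explicit, e.g. `/* TLSv1.3 uses its own record layer; the legacy enc callback must never be invoked. */`. The existing `->enc` call sites are worth auditing for a guard or an early error return. Any other members of `SSL3_ENC_METHOD` are left zero-initialized by the designated initializer, which deserves the same check.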